With an inline deployment, emails are thoroughly examined before it reaches a recipient’s inbox. Email Gateway Defense becomes a step in the SMTP processing sequence and actively engages with incoming email messages. Based on your policies, various messages are blocked before reaching the inbox.
Benefits
An inline deployment provides customers with layered security and filtering. Filtering messages in a gateway helps to ensure that malicious emails are never delivered. Finally, an API integration with Barracuda Impersonation Protection provides post-delivery detection and protection.
Another benefit to inline deployment is the ability to improve email security without depending on changes to DNS MX records. This is particularly helpful when various teams manage different aspects of your organization.
Limitations
Inline deployments are not without disadvantages. For example, email continuity and spooling are not available. In some cases, when emails are received from other Microsoft 365 customers, SPF and DMARC checks will not be performed.
Getting Started
The following sections detail how to configure Email Gateway Defense and add mail flow rules and connectors to route emails.
Configure Email Gateway Defense
Log into your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.
In the Email Gateway Defense wizard, enter a valid email address from the email server domain you want to protect with Email Gateway Defense. Click Detect email server.
The system automatically auto-fills your destination mail server.Click Save and Exit to exit the wizard.
Verify your domain by sending an email to the postmaster email address for your domain. A postmaster is a mail server’s administrator and has the associated email address postmaster@domain.com.
On the Domains page, click Edit. Under Mail Servers, click Add Mail Server and enter your mail server.
On the Domains page, note the primary and backup MX records. You will need this when setting up mail flow rules in Exchange.
Note that a warning message such as “MX records are misconfigured” will appear on the Domains page and can be ignored.
Go to the Inbound Settings > IP Address Policies page. Using Bulk Edit, add the following Microsoft365 Exchange Online IP address ranges as Trusted Forwarders. These are subject to change based on Microsoft.
40.92.0.0,255.254.0.0,Office365 40.107.0.0,255.255.0.0,Office365 52.100.0.0,255.252.0.0,Office365 104.47.0.0,255.255.128.0,Office365
For more information, see the Microsoft article https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#exchange-online..
Your initial configuration of Email Gateway Defense is complete.
Set Up Exchange Online
This inline deployment option is a separate set up from the standard deployment option. Choose only one of the options when setting up Email Gateway Defense.
For the standard deployment option, see Step 2 - Configure Microsoft 365 for Inbound and Outbound Mail.
For the inline deployment option, use the following steps to set up your inbound/outbound connectors and mail flow rules.
Set Up a New Outbound Connector From Microsoft 365 to Barracuda Networks
Set Up a New Inbound Connector From Partner to Microsoft 365
Create a partner connector to establish a secure connection between Barracuda and Microsoft servers when receiving processed mail by Barracuda Networks.
Set Up Mail Flow Rules
Before setting up the mail flow rules, create a secret value. This will be used in the mail flow rules and will ensure mail is always scanned by Email Gateway Defense. For example, you can use openssl rand -hex 32
to create a 256-bit secret key. Ensure that the key is US ASCII characters only since it will be used in an email header. You can also use this link to create the secret key https://www.cryptool.org/en/cto/openssl/.
Log into the Microsoft 365 admin center https://admin.exchange.microsoft.com/.
In the left pane, click mail flow, and click rules.
Click Add a rule.
Select Create a new rule.
In the new rule page, enter a Name to represent the rule. For example, Forward to Barracuda Networks unless secret header is present.
Under Apply this rule if, select The sender > is external/internal > Outside the organization.
Under Do the following:
Select Redirect the message to > the following connector, and select the connector you defined above in Set Up a New Outbound Connector.
Select Modify the message properties > set a message header X-BARRACUDA-SECRET to the value <your-secret-key>.
Under Except if:
Select A message header > matches these text patterns X-BARRACUDA-SECRET matches <your-secret-key>.
Select The sender > IP address is in any of these ranges or exactly matches <your Email Gateway Defense region>. To find your Email Gateway Defense region, see Email Gateway Defense Outbound IP Ranges.
Click Save.
On the Set rule settings page, set the Severity to High and check Stop processing more rules.
Click Next. Review the settings and then click Finish.
On the Rules page, select the Forward to Barracuda Networks unless secret header is present rule and use the Move up button to move the rule to the top of the list.
Alternatively, you can also edit rule settings and set its Priority to 0.Create another new rule and name it Remove Barracuda header secret from scanned emails.
Under Apply this rule if, select A message header > matches these text patterns X-BARRACUDA-SECRET matches <your-secret-key>.
Under Do the following, select Modify the message properties > remove a message header X-BARRACUDA-SECRET.
On the Set rule settings page, set the Severity to High. Ensure Stop processing more rules is unchecked.
Click Next. Review the settings and then click Finish.
On the Rules page, select the Remove Barracuda header secret from scanned emails rule and use the Move up or Move down button to move the rule to the second position of the list.
Alternatively, you can also edit rule settings and set its Priority to 1.Set up additional allow policies for spoofing.
Go to https://security.microsoft.com/tenantAllowBlockList and click on Spoofed Senders.Add two new entries, both with
*,barracuda.com
as the domain pair, one for internal and one for external.